A blog about Cyber Security & Compliance

A receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking has been found guilty of an offence under section 55 of the Data Protection Act (DPA).

Usha Patwal, of Romford, was given a two-year conditional discharge and ordered to pay £614 prosecution costs by Havering Magistrates Court after unlawfully obtaining her sister-in-law’s medical records in order to find out about the medication she was taking.

The offence was uncovered when Patwal’s sister-in-law received text messages indicating that the texter knew about the medication she was taking.

The ICO investigation uncovered that Ms Patwal had made a call to Gateway posing as an employee of the King George Hospital in Romford, Essex, on 29 December 2010.

Further enquiries found that medical information had been faxed to Ms Patwal at the Lawns Medical Centre, where she was employed as a receptionist. The fax has never been found, and Ms Patwal did not co-operate with the ICO investigation by giving an explanation for her actions.

“Medical records contain some of the most sensitive information possible. The medical centre’s receptionist was in a position of trust and abused her position for her own personal gain. This case demonstrates just how easy it can be to misuse personal data.

“Ms Patwal used her insider knowledge of the healthcare system to blag this information in an act that she believed would go undetected. The message from this case is clear: if you unlawfully obtain personal information there is always an audit trail, and you could end up in court.”